A Look Inside the Pass-the-PRT Attack

Discover what a Primary Refresh Token is and how cyber-criminals are exploiting it in two different ways to launch Azure Active Directory attacks.

Like an NT hash (AKA NTLM hash) and a Kerberos ticket, a Primary Refresh Token (PRT) can be passed in an attack. Mimikatz author Benjamin Delpy and Dirk-jan Mollema have both released detailed research and code showing how attackers could Pass-the-PRT to perform the lateral movement to the cloud.

Here we take a brief look at what a PRT is and how cyber-criminals could exploit it to launch attacks.

Do you know how hackers can enter your system? Find out on CQURE CyberBytes training and learn from Paula J  where are points of entry to your infrastructure.